For Small Businesses Running Windows Server

Your Server Holds Everything.
Is the Backup Actually Off-Site?

Windows Server Backup is a real, capable tool built into Windows Server at no extra cost. But by default it writes to a local disk or a network share that is online and reachable, which means it does not satisfy the off-site or air-gapped copy that CISA and the FTC recommend. This page explains honestly what the built-in tool does, where it leaves gaps, and what a complete backup plan for a small-business server actually looks like.

EverydayBackups is a paid, managed, encrypted, monitored, off-site cloud backup service for small businesses. Paid plans from $5.99/mo.

Why your server is a single point of failure

A Windows Server in a small business tends to accumulate everything that matters. That is not a criticism of the setup; it is just how it works. Shared folders get mapped as network drives. QuickBooks company files get hosted there so multiple users can work in them simultaneously. A line-of-business application stores its database on the server. If the server also runs Active Directory, every user login and group policy in the building depends on it. Accounting records, document repositories, and years of business data live in one place, in one building, on one machine.

That concentration is genuinely efficient during normal operations. It becomes a liability the moment something goes wrong. A single ransomware infection that reaches the server can encrypt every mapped drive and shared folder in one pass. A fire or flood in the server room takes down everything simultaneously. An accidental deletion of the wrong directory from a shared folder removes files that every user in the company depended on. The data is not at risk because the server is poorly designed; it is concentrated because that is how a file server works, and concentration amplifies the consequence of any failure.

CISA's 3-2-1 backup rule is the most widely cited framework for addressing this: keep at least three copies of your data on at least two different types of media, with at least one copy stored off-site. The FTC's small-business guidance echoes the same principle: no single-location copy is adequate, and off-site storage is a core requirement for recovery from physical disasters. For a small business, the server is typically the primary copy. That means two additional independent copies are needed, at least one of which is off-site and not reachable from the same network.

The rest of this page focuses on what Windows Server Backup does and does not provide, what a complete plan looks like, and a set of honest answers to the most common questions.

What Windows Server Backup does, and where it stops

Windows Server Backup is a real tool and it is worth describing accurately. It ships with Windows Server as an optional feature, it is free to install, and it is more capable than many people realize. It is also not enough on its own, for specific and grounded reasons.

Windows Server Backup can perform full server backups, system state backups that include Active Directory and the registry, bare-metal recovery images, and volume-level backups. It supports Volume Shadow Copy Service, which allows it to capture consistent snapshots of volumes including files that are currently open. It can be scheduled to run automatically on a daily or custom schedule. For a business that has never backed up its server at all, enabling Windows Server Backup is a meaningful improvement.

The gap is where the backup goes. By default, Windows Server Backup writes to a locally attached disk or to a network share. Both of those destinations are online and reachable from the server during normal operation. That matters for two reasons that CISA's #StopRansomware guidance makes explicit.

None of this makes Windows Server Backup a poor tool. For the job it was designed for, which is creating recoverable backups on hardware you control in your location, it works. The issue is that it does not, on its own, satisfy the off-site and air-gapped requirements that protect against the scenarios most likely to result in permanent data loss.
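As an added example (not code from the page or from Windows Server Backup's documentation), the following PowerShell inventories the configured Windows Server Backup policy, flags every destination that stays online and reachable from the server, and reports the last run. It assumes the WindowsServerBackup module is installed and that the target type names (Volume, Disk, Network, RemovableDrive) match the module's WBBackupTargetType enum.

```powershell
# Added example: audit Windows Server Backup destinations against the 3-2-1 rule.
# Requires: Install-WindowsFeature Windows-Server-Backup; run in an elevated shell.
# Property and enum names are assumed from the WindowsServerBackup module.
Import-Module WindowsServerBackup

$policy = Get-WBPolicy
if (-not $policy) {
    Write-Warning "No Windows Server Backup policy is configured on this server."
    return
}

# Every native WSB target is a local volume, a dedicated disk, or a network share.
# Volumes and shares are always reachable from the running server; a dedicated
# disk is only 'offline' if someone physically rotates it out of the building.
$findings = foreach ($target in Get-WBBackupTarget -Policy $policy) {
    $kind = $target.TargetType.ToString()
    $where = if ($kind -eq 'Network') { $target.NetworkPath } else { $target.Label }
    [pscustomobject]@{
        Target        = $where
        Type          = $kind
        AlwaysOnline  = ($kind -in 'Volume', 'Network')
        OffSite       = $false   # nothing WSB writes to natively is off-site
    }
}
$findings | Format-Table -AutoSize

# A backup that is silently failing is worse than none, because you believe
# you are covered. Check the last result and the age of the last success.
$summary = Get-WBSummary
"Last successful backup: {0}" -f $summary.LastSuccessfulBackupTime
"Last result (HRESULT):  0x{0:X8}" -f $summary.LastBackupResultHR
if (((Get-Date) - $summary.LastSuccessfulBackupTime) -gt (New-TimeSpan -Days 1)) {
    Write-Warning "No successful backup in the last 24 hours."
}
if ($findings | Where-Object AlwaysOnline) {
    Write-Warning "At least one destination is reachable from the server at all times; ransomware that reaches the server can reach it too."
}
if (-not ($findings | Where-Object OffSite)) {
    Write-Warning "No configured destination is off-site. Add a copy outside this network to satisfy 3-2-1."
}
```

The script changes nothing; it only reads the policy and summary so it is safe to run on a production server during the day.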

It is also worth noting that if your server runs RAID, the RAID array addresses availability during a disk hardware failure, not backup. Ransomware encrypts the array along with everything else, accidental deletions propagate across the array immediately, and every disk in the array sits in the same building. RAID and Windows Server Backup together still leave you without an off-site copy. For a full explanation of why RAID does not substitute for backup, see the RAID is not a backup page.

What a complete server backup plan looks like

A complete plan for a small-business Windows Server layers multiple copies, locations, and protections in a way that addresses the real failure scenarios: hardware failure, ransomware, accidental deletion, and physical disaster. The following criteria are grounded in CISA's 3-2-1 rule, CISA's #StopRansomware guidance, and FTC small-business recommendations.

If you want to evaluate your current exposure to ransomware specifically, the ransomware restore readiness guide walks through the questions worth asking before an incident occurs. For a broader checklist covering backup requirements across an entire small business, including workstations as well as servers, see the small-business backup checklist. If your server files are also synced with OneDrive, Dropbox, or a similar tool, see the cloud sync vs. backup page for an explanation of why sync is not a substitute for backup.

FAQ

Isn't RAID enough? My server has mirrored drives.

RAID keeps your server running through a disk hardware failure, and that is a real benefit worth having. But RAID is an availability tool, not a backup. When you delete a folder accidentally, RAID propagates the deletion across every disk in the array immediately and by design. When ransomware encrypts your files, it encrypts the entire RAID volume along with everything else, because the array is just a mounted volume the operating system can write to. There is also no off-site copy: every disk in a RAID array sits in the same enclosure in the same building. CISA's 3-2-1 rule requires at least one copy held off-site, and a RAID array does not satisfy that. For the full explanation, see the RAID is not a backup page.

Windows Server Backup is built in and free. Why pay for something else?

Windows Server Backup is a capable tool and using it is better than using nothing. The honest reason to add an off-site backup solution alongside it is where the backup goes. Windows Server Backup writes to a local disk or network share that is online and reachable from the server. CISA's #StopRansomware guidance is explicit: at least one backup copy needs to be offline or air-gapped, meaning not accessible from the running system. A local attached drive or a network share does not satisfy that. An off-site cloud backup stored separately from your network fills the gap that Windows Server Backup leaves open, specifically for ransomware and physical disasters. The two can coexist: Windows Server Backup for local recovery convenience, an off-site backup for the scenarios that local storage cannot handle.

We have a NAS on the network. Isn't that a backup?

A NAS is a common and useful piece of infrastructure, but it is not the same as a backup by itself. A NAS that is continuously connected to the same network as your server is reachable by the same processes that can reach your server, including ransomware. If ransomware runs on a machine that has write access to the NAS, it can encrypt the NAS along with everything else. The NAS is also a physical device in your building, subject to the same fire, flood, and theft risks as the server. It can serve as the local copy in a 3-2-1 plan, but you still need an off-site copy that is not reachable from the network to satisfy the air-gapped requirement CISA recommends.

How is backing up a server different from backing up a single PC?

The data profile is different in two important ways. First, a server typically holds data that belongs to multiple users and multiple applications simultaneously. Shared folders, domain controller state, hosted databases, and line-of-business application data are all co-located on one machine. A failure or data loss event affects every user in the business at once, not just one person's workstation. Second, some of that data requires specific handling to back up correctly. Active Directory and domain controller state, for example, require a system state or authoritative restore approach that is different from simply copying files. A backup plan for a server needs to account for all of those data types, not just the shared file folders that are easiest to see.

Can you back up open databases and QuickBooks files that are in use?

This is a real concern for any business that keeps QuickBooks or a line-of-business database hosted on a server and running during the backup window. Files that are open and actively written to during a backup can end up in an inconsistent state if the backup simply copies them mid-write. The correct approach requires the backup to handle open files properly, typically through a mechanism like Volume Shadow Copy Service on Windows, which takes a consistent point-in-time snapshot of the volume even while files are in use. Windows Server Backup uses VSS for this purpose. Any backup solution you evaluate for a server hosting open databases or QuickBooks company files should explicitly support consistent open-file handling. It is worth testing a restore of those specific files, not just the folder structure, to confirm the recovered data is actually intact and usable.
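As an added example of the consistent open-file handling described above (not code from the page or from any backup product), this PowerShell takes a VSS snapshot of the volume, copies an in-use company file out of the snapshot, and hash-checks the staged copy against the snapshot rather than the live file. The file path, volume, and staging directory are constructed placeholders; run it elevated on the server.

```powershell
# Added example: copy an open file consistently via a VSS point-in-time snapshot.
# $FilePath is a constructed placeholder for an in-use QuickBooks company file.
$Volume   = 'C:\'
$FilePath = 'C:\Shared\Company\Books.qbw'
$Staging  = 'C:\BackupStaging'
$MountDir = 'C:\vss_mount'   # directory symlink that exposes the read-only shadow copy

# Ask VSS for a client-accessible snapshot of the whole volume.
$result = ([wmiclass]'Win32_ShadowCopy').Create($Volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) { throw "VSS snapshot failed, code $($result.ReturnValue)" }
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object ID -eq $result.ShadowID

try {
    # PowerShell cannot read the \\?\GLOBALROOT device path directly, so link it
    # to a normal directory; the trailing backslash on the device path is required.
    cmd /c mklink /d $MountDir "$($shadow.DeviceObject)\" | Out-Null

    $relative = $FilePath.Substring($Volume.Length)
    $snapFile = Join-Path $MountDir $relative
    New-Item -ItemType Directory -Force -Path $Staging | Out-Null
    $dest = Join-Path $Staging (Split-Path $relative -Leaf)

    # The snapshot is frozen at one instant, so this copy is internally
    # consistent even though the live file is open and still being written.
    Copy-Item -LiteralPath $snapFile -Destination $dest -Force

    # Verify against the snapshot, not the live file, which may have changed since.
    $snapHash = (Get-FileHash -LiteralPath $snapFile -Algorithm SHA256).Hash
    $destHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($snapHash -ne $destHash) { throw "Staged copy does not match the snapshot" }
    "Consistent copy staged at $dest (SHA256 $destHash)"
}
finally {
    # Remove the link (not its contents) and release the snapshot.
    cmd /c rmdir $MountDir | Out-Null
    $shadow.Delete()
}
```

The hash check proves the staged copy is a faithful image of the snapshot; confirming the file is usable still means opening the staged copy in QuickBooks itself, as the text recommends.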

Protect every device, start in minutes

Everyday Backups runs on Windows, iPhone, iPad, and Android. Set it once; it backs up automatically, encrypted, off-site. Paid plans from $5.99/mo.

Prefer to talk to a person? Call 850-980-3691

Want a second set of eyes? Schedule your free 15-minute Backup Risk Check with our team